A New Login...Par For The Course...Until Firesheep

posted Nov 9, 2010, 9:27 AM by Adam Shepler   [ updated Nov 9, 2010, 9:32 AM ]

Take a moment and think about how many logins (user names and passwords) you have created over the years to access even the most nominal information…from social networks to local news sites, you create new logins ALL THE TIME. Think you’re safe???

On Oct. 24th, 2010, a Firefox browser extension called Firesheep was released. What’s the big deal, you ask? Browser extensions are a dime a dozen these days, but this one raises real cause for concern.

After installing the Firesheep “extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait. As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed: Double-click on someone, and you're instantly logged in as them.”

Because it is fairly uncommon for a website to securely encrypt anything but your initial login, everything after that login is left exposed: the site keeps recognizing you by a cookie (the same cookie that makes your login information appear automatically, or lets a social networking website log you in based on your prior login), and that cookie is sent without encryption. This vulnerability is known as “sidejacking”. The attacker gets hold of your cookie via an open wireless network (as made dead simple by Firesheep), which allows them to do anything you would normally be able to do on that website.

The creator of Firesheep states that “Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.” In my opinion, an odd way to “address” the issue, but no matter your feelings on the issue, just think twice the next time you’re browsing around on unsecured sites in your local coffee shop. To learn more about ways to circumvent this extension, check out this TechCrunch article.

Check out the Firesheep article with full extension description.
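
For site owners, the sidejacking exposure described above can be checked from a site's own response headers. The sketch below is an added example, not part of the original post or of Firesheep: it flags session-like cookies set without the `Secure` attribute, which browsers will therefore also send on plain-HTTP requests, and notes when no `Strict-Transport-Security` header is present. The sample headers and the cookie-name heuristic are constructed assumptions.

```python
# Constructed sample: response headers from a hypothetical site that encrypts
# its login page but does not mark every session cookie Secure.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=3f9a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=a81bd2; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Assumption: substrings that suggest a cookie identifies a logged-in user.
SESSION_HINTS = ("session", "sid", "auth", "token")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit(headers, hints=SESSION_HINTS):
    """Return (subject, problem) findings for cookies readable on an open network."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        session_like = any(h in name.lower() for h in hints)
        # Without Secure, the browser attaches the cookie to http:// requests,
        # where anyone on the same open Wi-Fi network can read it.
        if session_like and "secure" not in attrs:
            findings.append((name, "missing Secure: sent on plain-HTTP requests"))
    # Without HSTS the browser may still make a first request over http://.
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append(("(site)", "no Strict-Transport-Security header"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit(SAMPLE_HEADERS):
        print(f"{subject}: {problem}")
```
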